Should we be able to say no to tap-and-go technology?

Tap and no thanks

Last updated: 28 April 2015

Is it a bit cheeky for the financial services industry to foist a new payment technology on consumers without giving us a chance to opt out?

That's what happened when credit card giants Visa and MasterCard launched tap-and-go payWave and PayPass, respectively, starting in about 2009. Some
consumers are still miffed at being denied a chance to say no to their credit and debit cards having the 'contactless payments' technology – a 'Stop
forcing people into PayPass or payWave' Facebook page has been up and running since September 2012.

In an April 2015 Voice Your Choice survey, most members said they were concerned about near field communication (NFC) security. On the other hand, only
about a quarter said they'd have opted out if given the chance.

The benefits promoted by the credit card giants are familiar by now to most of us – you can make quick, low-cost purchases ($100 or less) without having to
bother with a signature or personal identification number (or PIN). 'Tap and go' was sold as a breakthrough in the ever-evolving field of payment
technology designed for your convenience – whether you like it or not.

Another point of view is that Visa and MasterCard adopted the technology to push people into using their cards more often, since more transactions mean
more revenue. If that was the plan, it seems to be working. Visa's Australian country manager Vipin Kalra reported early last year that
the uptake of payWave was robust, with over 28 million transactions a month at more than 100,000 contactless terminals. He also revealed that contactless
purchasing was leading consumers to buy more stuff.

New Zealand bank offers a way out

Resentment across the Tasman about being force-fed payWave and PayPass has led New Zealand bank ASB to give consumers the option of turning off the technology as of April this year. The bank released its 'Card Control' app that communicates with the chip on your payment card and allows you to deactivate the NFC. Even more helpfully, the app allows you to stop transactions on the card altogether if you lose it, and reactivate transactions once you find it – a lot easier than having to cancel the card and get a new one.

How safe is tap-and-go technology?

Since the introduction of radio-frequency identification (RFID) chips on credit cards with NFC technology, there's been increasing concern about security.

In one high-profile case in 2012, a well-known computer security expert named Kristin Paget reportedly demonstrated at an annual conference of hackers in
Washington, D.C. that your credit card number, expiration data and CVV number (the three numbers on the back that online merchants frequently ask for)
could be 'ripped' (copied) from your card via the RFID chip.

With a Vivotech RFID credit reader bought on eBay for $50 and a $300 card magnetizer, Paget transferred a volunteer audience member's data to a blank card.
Then, with a readily available iPhone attachment, she paid herself $15 from the volunteer's credit card account.

But that would be a comparatively sophisticated form of NFC fraud, and there's no evidence so far that it's happening in the real world. More
realistically, a crook could simply rack up a series of $100-or-less payments with your card before you realise the purchases have been made.

One consumer who contacted CHOICE said he didn't realise his lost card was NFC-equipped and only found out money was going missing when he happened to
check his account online.

What are your rights if someone misuses your tap-and-go card?

The Financial Ombudsman Service (FOS) will take complaints about card issuers (also known as banks) who refuse to provide refunds for unauthorised
transactions, but only after you've attempted to work it out with the card issuer yourself. Technically, banks don't have to offer refunds if you take too
long to tell them your card has been lost or stolen.

But there is another level of protection. Visa and MasterCard products come with chargeback rights, which means you'll generally have up to 120 days to
report fraudulent activity and have the missing money credited to your account.

A FOS spokesperson told us payWave and PayPass disputes "have been slightly increasing, which is reflective of the large number of transactions conducted,
but pleasingly, most of them are quickly resolved, and the money amounts are typically small".

The exact terms and conditions of your payWave or PayPass-enabled card depend on which bank issued it. But US-based Visa says its 'zero liability' policy
covers Australian-issued cards, though the policy does not apply to transactions "not processed by Visa or certain commercial card transactions".

MasterCard also has a 'zero liability' policy with its own restrictions. You're only covered, for instance, if you have "exercised vigilant care", tell the
card issuer about fraud "immediately and without delay" and "have not reported two or more incidents of unauthorised use in the preceding 12 months".

If your card is lost or stolen, multiple $100 transactions can be made without any form of authentication (such as a signature or PIN) before the
unauthorised activity is discovered.

Lack of documentation for transactions – such as receipts – makes it hard for cardholders to reconcile statements against purchases, which makes
fraudulent transactions harder to detect.

Victoria saw a big jump in payment card fraud from 2013–14 to 2014–15, most of which, rightly or not, was attributed to tap-and-go technology. In May last
year the state's then-Police Minister Kim Wells went on record as saying banks were shirking their duty to prevent illicit transactions.

Visa and MasterCard weigh in

Visa and MasterCard reject claims that NFC technology is a security risk. A Visa spokesperson told us payWave's "multiple layers of security" make the
cards "virtually impossible to counterfeit", but added that cardholders "should treat their cards like their cash and report any suspicious activity to
their banks".

MasterCard acknowledged that data from payment cards can be read by unauthorised NFC applications but says that "such data cannot be re-used to make a
counterfeit card, and is typically not sufficient to perform an e-commerce transaction".

"Cardholders are covered from the costs of unauthorised transactions as long as they do everything they can to protect themselves from fraud," the
MasterCard spokesperson said.

What you told us

We heard from hundreds of CHOICE members about Visa payWave and MasterCard PayPass. Some were worried about security; others not so much.

No worries:

"Don't really see how it makes it less secure. You need to be holding the card to make it work and there's a limit, whereas with just the credit cards
details someone could buy anything online."

"If the cards are 'hacked' or compromised by another means while in my normal possession I would dispute the charge with my bank or financial institution,
[the] same as [with] any other unauthorised transaction."

"I am careful, and also believe that the banks would not provide the feature if it were not secure."

Yes worries:

"If the card is stolen, charges can be made quickly and easily."

"I was initially concerned about the ease with which the card could be used if it fell into the wrong hands. The convenience of the system has caused me to
conveniently overlook the potential security risk. I wouldn't want it available for anything larger than $100."

"Any wireless capability can be hacked. However, I keep a close eye on my online statements and keep my credit limits low. I don't have payWave on my
primary savings account."

If you'd like to share your opinions and experiences with CHOICE, join our new private member research community at www.voiceyourchoice.com.au.

CHOICE verdict

The jury may be out on whether NFC technology represents a new area of risk for consumers, but we don't have any reason at the moment to believe it's any
less safe than other existing card payments methods. It's probably a good idea, though, to keep a firm grip on any payment system that allows purchases
without a signature or PIN.